I've created a web application but I'm worried about security. Right now I am using PHP session values as the sole means of securing my site, and I know that sessions can be spoofed and that this is not fully secure.
More specifically, when a user logs in their user ID is stored as a session variable, and then each page that requires authentication checks to make sure that the session variable is set; if it is, the program reads the user ID from the session variable to display that user's data.
Obviously this is not very secure... what steps should I take to make this a much more secure system?
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
each page that requires authentication checks to make sure that the session variable is set
So you aren't actually doing any authentication after the login - you are just relying on a session variable being set. That part doesn't seem very secure at all, to me. You might want to store the sessionid of the logged in user in a record in the database (alongside the userid). Then, every time a page is requested that requires authentication, compare the sessionid that is requesting the page, and make sure it matches the sessionid that is in the database alongside the correct userid. Hopefully that's not too confusing for you.
I've switched careers...
I'm NO LONGER a scientist,
but now a web developer...
awesome.
Ah yes, that should work...
So the idea would be that when the user logs in I would assign a sessionid session variable and insert that value into a sessionid field in the database record corresponding to that user. Then each page that the user visits would check the 'sessionid' session variable against the value that was stored in the database when they logged in. If they log out and the session variable is destroyed, then at that point the session would not function because the user would need to re-login in order for the database to match the session variable?
Are there any limitations to this or ways around it that aren't obvious to me?
This seems generally useless to me. When a PHP session is created, a unique session ID is generated. That ID is set in a cookie to be shared with the client, and the session data is saved in a file with a name based on that ID (or in a database based on that ID if you elect to go that route). Saving the ID in the database for that user is meaningless if the way you know who the user is (once s/he is logged in) is based on a value in the session data. In other words, if a session gets "hijacked", the "hijacker" is going to appear to be that user, and by definition s/he will have hijacked that user's session ID, and so it will automatically match the ID saved in the database.
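The following is an added example, not code posted by anyone in this thread. It shows the login/check/logout flow discussed above written out in PHP, with the session-ID-in-database comparison from the earlier reply kept for what it does give you (server-side revocation and one active session per user) and the hardening that actually narrows the hijacking window: rotating the session ID on login, cookie flags, strict mode and an idle timeout. The `users` table with a `session_id` column, the function names and the use of PDO are assumptions for illustration; it requires PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example for this thread, not code from any of its posts.
// Assumed schema: users(id INTEGER PRIMARY KEY, session_id TEXT NULL).
declare(strict_types=1);

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie is only sent over HTTPS
        'httponly' => true,   // not readable from document.cookie, so XSS cannot simply copy it
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call only after the password has been verified (e.g. with password_verify()). */
function login(PDO $db, int $userId): void
{
    // Fresh ID at the privilege change: an ID planted before login (fixation) becomes useless.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['last_active'] = time();
    // The database copy allows revoking a session from the server side and enforces
    // one active session per user. It is NOT a defence against a stolen cookie.
    $stmt = $db->prepare('UPDATE users SET session_id = :sid WHERE id = :id');
    $stmt->execute([':sid' => session_id(), ':id' => $userId]);
}

/** Returns the authenticated user ID, or null when the request is not authenticated. */
function current_user(PDO $db, int $idleLimit = 900): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $userId = (int) $_SESSION['user_id'];
    $stmt = $db->prepare('SELECT session_id FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $stored = $stmt->fetchColumn();
    // A hijacker replaying the victim's cookie presents the same session_id(), so this
    // comparison passes for them as well. What it does catch: a session revoked on the
    // server (session_id set to NULL) or superseded by a newer login elsewhere.
    if ($stored === false || $stored === null || !hash_equals((string) $stored, session_id())) {
        logout($db, $userId);
        return null;
    }
    // Idle timeout bounds how long a stolen cookie remains usable.
    if (time() - (int) ($_SESSION['last_active'] ?? 0) > $idleLimit) {
        logout($db, $userId);
        return null;
    }
    $_SESSION['last_active'] = time();
    return $userId;
}

function logout(PDO $db, ?int $userId = null): void
{
    if ($userId !== null) {
        $db->prepare('UPDATE users SET session_id = NULL WHERE id = :id')->execute([':id' => $userId]);
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Stand-alone demo (run with the PHP CLI): an in-memory SQLite table stands in for the
// assumed users table; the results are collected first so nothing is printed before logout().
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, session_id TEXT)');
    $db->exec('INSERT INTO users (id) VALUES (7)');
    start_secure_session();
    login($db, 7);
    $afterLogin = current_user($db);
    logout($db, 7);
    $afterLogout = current_user($db);
    echo 'after login: ', var_export($afterLogin, true), PHP_EOL;
    echo 'after logout: ', var_export($afterLogout, true), PHP_EOL;
}
```

In a real page, call `start_secure_session()` first and then treat a null return from `current_user($db)` as "redirect to the login page"; everything after that point can use the returned user ID. Note that the per-request database comparison only adds value when you also write NULL into `session_id` on logout or on an administrative revocation, which is why `logout()` does that before destroying the session.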